This is a detailed how-to to enable voice/video/screensharing support in Nextcloud Talk installed in Nextcloud on Cloudron that is available from outside the local network by installing coturn turn/stun server.

Prequisites:
Nextcloud and Nextcloud Talk installed on Cloudron
'A' record setup on your DNS registrar's admin panel pointing to your cloudron server's public ip address with a name record chosen by you e.g. 'turn'

All the below commands should be run as root or with sudo.

1. Install coturn and persistent iptables:

apt-get install coturn iptables-persistent

2. Temporarily stop coturn:

systemctl stop coturn

3. Open ports for use with coturn (default ports in this example)

iptables -I INPUT -p tcp --dport 5349 -j ACCEPT
iptables -I INPUT -p udp --dport 5349 -j ACCEPT
iptables-save > /etc/iptables/rules.v4

4. Enable coturn daemon

Open the file /etc/default/coturn and remove the # in front of TURNSERVER_ENABLED=1 (i.e. uncomment it)

5. Make a backup of the original turnserver.conf file:

mv /etc/turnserver.conf /etc/turnserver.conf.orig

6. Create new /etc/turnserver.conf using nano or vim or whatever editor you choose as below referring to the comments for changes to be made for your installation:

#the port that you opened using iptables
tls-listening-port=5349

fingerprint
lt-cred-mech

use-auth-secret
# this is created by running the sed command in the detailed instrucions
static-auth-secret=replace-this-secret

# the domain that you create an A record for
realm=aaa.bbb.ccc

total-quota=100
stale-nonce=600

# the host domain certs that were created by cloudron on installation
cert=/home/yellowtent/boxdata/certs/xxx.yyy.host.cert
pkey=/home/yellowtent/boxdata/certs/xxx.yyy.host.key
# this will be created using openssl
dh-file=/home/yellowtent/boxdata/certs/dhparam.pem

cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

no-sslv3
no-tlsv1
no-tlsv1_1


no-stdout-log

# this can be watched using tail -f for troubleshooting
log-file=/var/tmp/turn.log

# once everything is confirmed working you can comment out the above line & uncomment the following

#log-file=/dev/null

no-loopback-peers
no-multicast-peers

proc-user=turnserver
proc-group=turnserver

7. Create DiffieHellman (dhparam.pem) key exchange file for better TLS security. (this can take sometime - be patient)

openssl dhparam -out /home/yellowtent/boxdata/certs/dhparam.pem 4096

8. Start coturn

systemctl status coturn

9. In Nextcloud, login as an admin & go to the settings page & scroll down to the Talk settings. Add a new TURN server using the domain name you created an A record that appears in your turnserver.conf file after realm= followed by a colon with the tls-listening-port number that you opened - e.g. aaa.bbb.ccc:5349 and for secret enter the static-auth-secret in your turnserver.conf. Choose UDP and TCP. It should then check that it is working and a checkmark will temporarily appear confirming it works. You can also optionally enter the same server:port combination for adding your own STUN server.

You can go ahead & test a voice & or video chat between 2 clients. To troubleshoot you can tail the latest log file while attempting a chat e.g.

tail -f /var/tmp/turn_2019-08-23.log

never mind, you mentioned that as the first line of your comment.

Just to clarify - it is working with tls on coturn, installed & configured on the same vps as the cloudron install. It was very simple - just needed to get the turnserver.conf correct with a generated dh file & host certs in the yellowtent/boxdata/certs folder.

I have for another project identified https://github.com/instrumentisto/coturn-docker-image as a good base for running coturn (but actually did not yet get to implement it). This image is actively maintained and because of its alpine base quite small.

I found some good tutorials - https://meetrix.io/blog/webrtc/coturn/installation.html. I will keep looking for ideas on how to install coturn in a reverse proxy setup like https://github.com/coturn/coturn/issues/43

I have tried installing coturn on the host, adding iptable entries to open the tcp/udp ports, made them persistent & still no go. I'm not sure if I've setup the certs correctly. I pointed the config file to the host certs in /home/yellowtent/boxdata/certs. I have also tried without tls - still no go.

Anyone? I would of thought that many people using Nextcloud in a company/organisational setting would definitely benefit from Nextcloud Talk.

Would be ok to manually install coturn on the Cloudron server as per their instructions? If so, how would I open the coturn port on the server without messing up any cloudron security?